In <news:[email protected]>,
Bill Davidsen <[email protected]> wrote:
> Robert Kaiser wrote:
> > Phillip Jones wrote:
> >> As I said, it ain't going to happen, unless someone comes up with
> >> an extension to add it back. And that's not going to pass with the
> >> Mozilla big-wigs. They don't want it.
> >
> > An extension probably cannot change this, what it would need would
> > be a thorough security review of the affected code. It's not about
> > wanting or not wanting it, it's about being able to guarantee
> > security. This seems to be a concept that a number of people here
> > don't seem to grasp anyhow, or intentionally neglect.
>
> The concept missed is that it's OUR computer. No one is asking you
> to guarantee security or anything else, we just want the option of JS
> on a per-newsgroup or RSS feed basis. I agree it should be turned
> off, I'm comfortable that the option to turn it on have all sorts of
> warnings, but you sound like a mix of Microsoft and a smothering
> mother, saying that you know what's best. It's one thing to leave a
> feature out because it isn't in TB or FF, but to take away user
> choice is a different thing.

Releasing something that will run incoming javascript without any
security model in place to the public (not just to *your* computer)
would be so insanely irresponsible that you can't find any software
vendor willing to do it. This isn't in the category of things that
should be off by default because they're risky or things that should
carry warnings because they're risky, it's firmly in the category of
things nobody is ever going to release because they would be
intentionally harming users.

And since neither SeaMonkey nor Mozilla Messaging have the resources to
implement a working security model for it, you're stuck.

The options are to hire someone (expensive, since it will have to be a
security expert) to do it or to convince Mozilla Messaging that it's so
vitally important that they should drop other things to work on it.
Trying to convince the SM team that it's so vitally important that they
should do it won't do any good, since even if they came to agree with
you, they *can't* do it; they don't have enough people to do it and
they don't have the right skills to do it.

(And, FWIW, you can have javascript in RSS feeds executed by SM.)

--
»Q«                        /"\
ASCII Ribbon Campaign      \ /
against html e-mail         X
<http://asciiribbon.org/>  / \
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey